add signal for Owner

[nora-codecov]

Purpose/Motivation

Shelter needs to know some things about Owner.

Links to relevant tickets

codecov/engineering-team#2299

Goes with this piece https://github.com/codecov/shelter/pull/203
Depends on codecov/shared#411

What does this PR do?

This new signal will trigger Shelter to pick up the object and store the relevant fields.

[github-actions]

This PR includes changes to shared. Please review them here: codecov/shared@067b2e4...83b3376

[adrian-codecov]

Optional: since this is used in a couple of places, would encourage to move this into its own fn and use that in every signal for readability!

[nora-codecov]

I agree - I added one, check it out!

[adrian-codecov]

Also of course, please double check shared changes are good to go.

And to update to the Shared sha after it merges

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 96.24%. Comparing base (897327a) to head (84cd511).
Report is 1 commits behind head on main.

✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #940      +/-   ##
==========================================
+ Coverage   96.23%   96.24%   +0.01%     
==========================================
  Files         825      826       +1     
  Lines       19027    19028       +1     
==========================================
+ Hits        18311    18314       +3     
+ Misses        716      714       -2     

Flag	Coverage Δ
unit	92.50% <100.00%> (+0.01%)	⬆️
unit-latest-uploader	92.50% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[codecov-notifications]

Codecov Report

All modified and coverable lines are covered by tests ✅

✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

[codecov-qa]

❌ 321 Tests Failed:

Tests completed	Failed	Passed	Skipped
2647	321	2326	6

View the top 3 failed tests by shortest run time

api/internal/tests/test_charts.py::CoverageChartHelpersTest::test_ordering

Stack Traces | 0.01s run time

self = <tests.test_charts.CoverageChartHelpersTest testMethod=test_ordering>

    def setUp(self):
>       self.org1 = OwnerFactory(username="org1")

.../internal/tests/test_charts.py:152: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
.../local/lib/python3.12............/site-packages/factory/base.py:40: in __call__
    return cls.create(**kwargs)
.../local/lib/python3.12............/site-packages/factory/base.py:528: in create
    return cls._generate(enums.CREATE_STRATEGY, kwargs)
.../local/lib/python3.12....../site-packages/factory/django.py:117: in _generate
    return super()._generate(strategy, params)
.../local/lib/python3.12............/site-packages/factory/base.py:465: in _generate
    return step.build()
.../local/lib/python3.12.../site-packages/factory/builder.py:262: in build
    instance = self.factory_meta.instantiate(
.../local/lib/python3.12............/site-packages/factory/base.py:317: in instantiate
    return self.factory._create(model, *args, **kwargs)
.../local/lib/python3.12....../site-packages/factory/django.py:166: in _create
    return manager.create(*args, **kwargs)
.../local/lib/python3.12.../db/models/manager.py:87: in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
.../local/lib/python3.12.../db/models/query.py:658: in create
    obj.save(force_insert=True, using=self.db)
.../local/lib/python3.12.../django_apps/codecov_auth/models.py:395: in save
    super().save(*args, **kwargs)
.../local/lib/python3.12.../db/models/base.py:814: in save
    self.save_base(
.../local/lib/python3.12.../site-packages/model_utils/tracker.py:343: in inner
    return original(instance, *args, **kwargs)
.../local/lib/python3.12.../db/models/base.py:892: in save_base
    post_save.send(
.../local/lib/python3.12.../django/dispatch/dispatcher.py:177: in send
    (receiver, receiver(signal=self, sender=sender, **named))
.../local/lib/python3.12.../integrations/django/signals_handlers.py:73: in wrapper
    return receiver(*args, **kwargs)
codecov_auth/signals.py:94: in update_owner
    ShelterPubsub.get_instance().publish(data)
codecov_auth/signals.py:34: in get_instance
    cls._instance = cls()
codecov_auth/signals.py:39: in __init__
    self.pubsub_publisher = pubsub_v1.PublisherClient()
.../local/lib/python3.12.../pubsub_v1/publisher/client.py:139: in __init__
    super().__init__(**kwargs)
.../local/lib/python3.12.../services/publisher/client.py:492: in __init__
    self._transport = Transport(
.../local/lib/python3.12.../publisher/transports/grpc.py:153: in __init__
    super().__init__(
.../local/lib/python3.12.../publisher/transports/base.py:104: in __init__
    credentials, _ = google.auth.default(
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

scopes = None, request = None, quota_project_id = None
default_scopes = ('https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/pubsub')

    def default(scopes=None, request=None, quota_project_id=None, default_scopes=None):
        """Gets the default credentials for the current environment.
    
        `Application Default Credentials`_ provides an easy way to obtain
        credentials to call Google APIs for server-to-server or local applications.
        This function acquires credentials from the environment in the following
        order:
    
        1. If the environment variable ``GOOGLE_APPLICATION_CREDENTIALS`` is set
           to the path of a valid service account JSON private key file, then it is
           loaded and returned. The project ID returned is the project ID defined
           in the service account file if available (some older files do not
           contain project ID information).
    
           If the environment variable is set to the path of a valid external
           account JSON configuration file (workload identity federation), then the
           configuration file is used to determine and retrieve the external
           credentials from the current environment (AWS, Azure, etc).
           These will then be exchanged for Google access tokens via the Google STS
           endpoint.
           The project ID returned in this case is the one corresponding to the
           underlying workload identity pool resource if determinable.
    
           If the environment variable is set to the path of a valid GDCH service
           account JSON file (`Google Distributed Cloud Hosted`_), then a GDCH
           credential will be returned. The project ID returned is the project
           specified in the JSON file.
        2. If the `Google Cloud SDK`_ is installed and has application default
           credentials set they are loaded and returned.
    
           To enable application default credentials with the Cloud SDK run::
    
                gcloud auth application-default login
    
           If the Cloud SDK has an active project, the project ID is returned. The
           active project can be set using::
    
                gcloud config set project
    
        3. If the application is running in the `App Engine standard environment`_
           (first generation) then the credentials and project ID from the
           `App Identity Service`_ are used.
        4. If the application is running in `Compute Engine`_ or `Cloud Run`_ or
           the `App Engine flexible environment`_ or the `App Engine standard
           environment`_ (second generation) then the credentials and project ID
           are obtained from the `Metadata Service`_.
        5. If no credentials are found,
           :class:`~google.auth.exceptions.DefaultCredentialsError` will be raised.
    
        .. _Application Default Credentials: https://developers.google.com\
                .../identity/protocols/application-default-credentials
        .. _Google Cloud SDK: https://cloud.google.com/sdk
        .. _App Engine standard environment: https://cloud.google.com/appengine
        .. _App Identity Service: https://cloud.google..../appengine/docs/python\
                /appidentity/
        .. _Compute Engine: https://cloud.google.com/compute
        .. _App Engine flexible environment: https://cloud.google.com\
                /appengine/flexible
        .. _Metadata Service: https://cloud.google.com/compute/docs\
                /storing-retrieving-metadata
        .. _Cloud Run: https://cloud.google.com/run
        .. _Google Distributed Cloud Hosted: https://cloud.google.com/blog/topics\
                /hybrid-cloud/announcing-google-distributed-cloud-edge-and-hosted
    
        Example::
    
            import google.auth
    
            credentials, project_id = google.auth.default()
    
        Args:
            scopes (Sequence[str]): The list of scopes for the credentials. If
                specified, the credentials will automatically be scoped if
                necessary.
            request (Optional[google.auth.transport.Request]): An object used to make
                HTTP requests. This is used to either detect whether the application
                is running on Compute Engine or to determine the associated project
                ID for a workload identity pool resource (external account
                credentials). If not specified, then it will either use the standard
                library http client to make requests for Compute Engine credentials
                or a google.auth.transport.requests.Request client for external
                account credentials.
            quota_project_id (Optional[str]): The project ID used for
                quota and billing.
            default_scopes (Optional[Sequence[str]]): Default scopes passed by a
                Google client library. Use 'scopes' for user-defined scopes.
        Returns:
            Tuple[~google.auth.credentials.Credentials, Optional[str]]:
                the current environment's credentials and project ID. Project ID
                may be None, which indicates that the Project ID could not be
                ascertained from the environment.
    
        Raises:
            ~google.auth.exceptions.DefaultCredentialsError:
                If no credentials were found, or if the credentials found were
                invalid.
        """
        from google.auth.credentials import with_scopes_if_required
        from google.auth.credentials import CredentialsWithQuotaProject
    
        explicit_project_id = os.environ.get(
            environment_vars.PROJECT, os.environ.get(environment_vars.LEGACY_PROJECT)
        )
    
        checkers = (
            # Avoid passing scopes here to prevent passing scopes to user credentials.
            # with_scopes_if_required() below will ensure scopes/default scopes are
            # safely set on the returned credentials since requires_scopes will
            # guard against setting scopes on user credentials.
            lambda: _get_explicit_environ_credentials(quota_project_id=quota_project_id),
            lambda: _get_gcloud_sdk_credentials(quota_project_id=quota_project_id),
            _get_gae_credentials,
            lambda: _get_gce_credentials(request, quota_project_id=quota_project_id),
        )
    
        for checker in checkers:
            credentials, project_id = checker()
            if credentials is not None:
                credentials = with_scopes_if_required(
                    credentials, scopes, default_scopes=default_scopes
                )
    
                # For external account credentials, scopes are required to determine
                # the project ID. Try to get the project ID again if not yet
                # determined.
                if not project_id and callable(
                    getattr(credentials, "get_project_id", None)
                ):
                    if request is None:
                        import google.auth.transport.requests
    
                        request = google.auth.transport.requests.Request()
                    project_id = credentials.get_project_id(request=request)
    
                if quota_project_id and isinstance(
                    credentials, CredentialsWithQuotaProject
                ):
                    credentials = credentials.with_quota_project(quota_project_id)
    
                effective_project_id = explicit_project_id or project_id
                if not effective_project_id:
                    _LOGGER.warning(
                        "No project ID could be determined. Consider running "
                        "`gcloud config set project` or setting the %s "
                        "environment variable",
                        environment_vars.PROJECT,
                    )
                return credentials, effective_project_id
    
>       raise exceptions.DefaultCredentialsError(_CLOUD_SDK_MISSING_CREDENTIALS)
E       google.auth.exceptions.DefaultCredentialsError: Your default credentials were not found. To set up Application Default Credentials, see https://cloud.google..../authentication/external/set-up-adc for more information.

.../local/lib/python3.12.../google/auth/_default.py:692: DefaultCredentialsError

api/internal/tests/test_permissions.py::TestRepositoryPermissionsService::test_user_is_activated_returns_true_when_owner_has_legacy_plan

Stack Traces | 0.01s run time

self = <tests.test_permissions.TestRepositoryPermissionsService testMethod=test_user_is_activated_returns_true_when_owner_has_legacy_plan>

    def test_user_is_activated_returns_true_when_owner_has_legacy_plan(self):
>       user = OwnerFactory()

.../internal/tests/test_permissions.py:107: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
.../local/lib/python3.12............/site-packages/factory/base.py:40: in __call__
    return cls.create(**kwargs)
.../local/lib/python3.12............/site-packages/factory/base.py:528: in create
    return cls._generate(enums.CREATE_STRATEGY, kwargs)
.../local/lib/python3.12....../site-packages/factory/django.py:117: in _generate
    return super()._generate(strategy, params)
.../local/lib/python3.12............/site-packages/factory/base.py:465: in _generate
    return step.build()
.../local/lib/python3.12.../site-packages/factory/builder.py:262: in build
    instance = self.factory_meta.instantiate(
.../local/lib/python3.12............/site-packages/factory/base.py:317: in instantiate
    return self.factory._create(model, *args, **kwargs)
.../local/lib/python3.12....../site-packages/factory/django.py:166: in _create
    return manager.create(*args, **kwargs)
.../local/lib/python3.12.../db/models/manager.py:87: in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
.../local/lib/python3.12.../db/models/query.py:658: in create
    obj.save(force_insert=True, using=self.db)
.../local/lib/python3.12.../django_apps/codecov_auth/models.py:395: in save
    super().save(*args, **kwargs)
.../local/lib/python3.12.../db/models/base.py:814: in save
    self.save_base(
.../local/lib/python3.12.../site-packages/model_utils/tracker.py:343: in inner
    return original(instance, *args, **kwargs)
.../local/lib/python3.12.../db/models/base.py:892: in save_base
    post_save.send(
.../local/lib/python3.12.../django/dispatch/dispatcher.py:177: in send
    (receiver, receiver(signal=self, sender=sender, **named))
.../local/lib/python3.12.../integrations/django/signals_handlers.py:73: in wrapper
    return receiver(*args, **kwargs)
codecov_auth/signals.py:94: in update_owner
    ShelterPubsub.get_instance().publish(data)
codecov_auth/signals.py:34: in get_instance
    cls._instance = cls()
codecov_auth/signals.py:39: in __init__
    self.pubsub_publisher = pubsub_v1.PublisherClient()
.../local/lib/python3.12.../pubsub_v1/publisher/client.py:139: in __init__
    super().__init__(**kwargs)
.../local/lib/python3.12.../services/publisher/client.py:492: in __init__
    self._transport = Transport(
.../local/lib/python3.12.../publisher/transports/grpc.py:153: in __init__
    super().__init__(
.../local/lib/python3.12.../publisher/transports/base.py:104: in __init__
    credentials, _ = google.auth.default(
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

scopes = None, request = None, quota_project_id = None
default_scopes = ('https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/pubsub')

    def default(scopes=None, request=None, quota_project_id=None, default_scopes=None):
        """Gets the default credentials for the current environment.
    
        `Application Default Credentials`_ provides an easy way to obtain
        credentials to call Google APIs for server-to-server or local applications.
        This function acquires credentials from the environment in the following
        order:
    
        1. If the environment variable ``GOOGLE_APPLICATION_CREDENTIALS`` is set
           to the path of a valid service account JSON private key file, then it is
           loaded and returned. The project ID returned is the project ID defined
           in the service account file if available (some older files do not
           contain project ID information).
    
           If the environment variable is set to the path of a valid external
           account JSON configuration file (workload identity federation), then the
           configuration file is used to determine and retrieve the external
           credentials from the current environment (AWS, Azure, etc).
           These will then be exchanged for Google access tokens via the Google STS
           endpoint.
           The project ID returned in this case is the one corresponding to the
           underlying workload identity pool resource if determinable.
    
           If the environment variable is set to the path of a valid GDCH service
           account JSON file (`Google Distributed Cloud Hosted`_), then a GDCH
           credential will be returned. The project ID returned is the project
           specified in the JSON file.
        2. If the `Google Cloud SDK`_ is installed and has application default
           credentials set they are loaded and returned.
    
           To enable application default credentials with the Cloud SDK run::
    
                gcloud auth application-default login
    
           If the Cloud SDK has an active project, the project ID is returned. The
           active project can be set using::
    
                gcloud config set project
    
        3. If the application is running in the `App Engine standard environment`_
           (first generation) then the credentials and project ID from the
           `App Identity Service`_ are used.
        4. If the application is running in `Compute Engine`_ or `Cloud Run`_ or
           the `App Engine flexible environment`_ or the `App Engine standard
           environment`_ (second generation) then the credentials and project ID
           are obtained from the `Metadata Service`_.
        5. If no credentials are found,
           :class:`~google.auth.exceptions.DefaultCredentialsError` will be raised.
    
        .. _Application Default Credentials: https://developers.google.com\
                .../identity/protocols/application-default-credentials
        .. _Google Cloud SDK: https://cloud.google.com/sdk
        .. _App Engine standard environment: https://cloud.google.com/appengine
        .. _App Identity Service: https://cloud.google..../appengine/docs/python\
                /appidentity/
        .. _Compute Engine: https://cloud.google.com/compute
        .. _App Engine flexible environment: https://cloud.google.com\
                /appengine/flexible
        .. _Metadata Service: https://cloud.google.com/compute/docs\
                /storing-retrieving-metadata
        .. _Cloud Run: https://cloud.google.com/run
        .. _Google Distributed Cloud Hosted: https://cloud.google.com/blog/topics\
                /hybrid-cloud/announcing-google-distributed-cloud-edge-and-hosted
    
        Example::
    
            import google.auth
    
            credentials, project_id = google.auth.default()
    
        Args:
            scopes (Sequence[str]): The list of scopes for the credentials. If
                specified, the credentials will automatically be scoped if
                necessary.
            request (Optional[google.auth.transport.Request]): An object used to make
                HTTP requests. This is used to either detect whether the application
                is running on Compute Engine or to determine the associated project
                ID for a workload identity pool resource (external account
                credentials). If not specified, then it will either use the standard
                library http client to make requests for Compute Engine credentials
                or a google.auth.transport.requests.Request client for external
                account credentials.
            quota_project_id (Optional[str]): The project ID used for
                quota and billing.
            default_scopes (Optional[Sequence[str]]): Default scopes passed by a
                Google client library. Use 'scopes' for user-defined scopes.
        Returns:
            Tuple[~google.auth.credentials.Credentials, Optional[str]]:
                the current environment's credentials and project ID. Project ID
                may be None, which indicates that the Project ID could not be
                ascertained from the environment.
    
        Raises:
            ~google.auth.exceptions.DefaultCredentialsError:
                If no credentials were found, or if the credentials found were
                invalid.
        """
        from google.auth.credentials import with_scopes_if_required
        from google.auth.credentials import CredentialsWithQuotaProject
    
        explicit_project_id = os.environ.get(
            environment_vars.PROJECT, os.environ.get(environment_vars.LEGACY_PROJECT)
        )
    
        checkers = (
            # Avoid passing scopes here to prevent passing scopes to user credentials.
            # with_scopes_if_required() below will ensure scopes/default scopes are
            # safely set on the returned credentials since requires_scopes will
            # guard against setting scopes on user credentials.
            lambda: _get_explicit_environ_credentials(quota_project_id=quota_project_id),
            lambda: _get_gcloud_sdk_credentials(quota_project_id=quota_project_id),
            _get_gae_credentials,
            lambda: _get_gce_credentials(request, quota_project_id=quota_project_id),
        )
    
        for checker in checkers:
            credentials, project_id = checker()
            if credentials is not None:
                credentials = with_scopes_if_required(
                    credentials, scopes, default_scopes=default_scopes
                )
    
                # For external account credentials, scopes are required to determine
                # the project ID. Try to get the project ID again if not yet
                # determined.
                if not project_id and callable(
                    getattr(credentials, "get_project_id", None)
                ):
                    if request is None:
                        import google.auth.transport.requests
    
                        request = google.auth.transport.requests.Request()
                    project_id = credentials.get_project_id(request=request)
    
                if quota_project_id and isinstance(
                    credentials, CredentialsWithQuotaProject
                ):
                    credentials = credentials.with_quota_project(quota_project_id)
    
                effective_project_id = explicit_project_id or project_id
                if not effective_project_id:
                    _LOGGER.warning(
                        "No project ID could be determined. Consider running "
                        "`gcloud config set project` or setting the %s "
                        "environment variable",
                        environment_vars.PROJECT,
                    )
                return credentials, effective_project_id
    
>       raise exceptions.DefaultCredentialsError(_CLOUD_SDK_MISSING_CREDENTIALS)
E       google.auth.exceptions.DefaultCredentialsError: Your default credentials were not found. To set up Application Default Credentials, see https://cloud.google..../authentication/external/set-up-adc for more information.

.../local/lib/python3.12.../google/auth/_default.py:692: DefaultCredentialsError

api/public/v2/tests/test_api_commit_viewset.py::RepoCommitUploadsTestCase::test_commit_uploads_not_authenticated

Stack Traces | 0.01s run time

self = <test_api_commit_viewset.RepoCommitUploadsTestCase testMethod=test_commit_uploads_not_authenticated>

    def setUp(self) -> None:
>       self.org = OwnerFactory(username="codecov", service="github")

.../v2/tests/test_api_commit_viewset.py:56: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
.../local/lib/python3.12............/site-packages/factory/base.py:40: in __call__
    return cls.create(**kwargs)
.../local/lib/python3.12............/site-packages/factory/base.py:528: in create
    return cls._generate(enums.CREATE_STRATEGY, kwargs)
.../local/lib/python3.12....../site-packages/factory/django.py:117: in _generate
    return super()._generate(strategy, params)
.../local/lib/python3.12............/site-packages/factory/base.py:465: in _generate
    return step.build()
.../local/lib/python3.12.../site-packages/factory/builder.py:262: in build
    instance = self.factory_meta.instantiate(
.../local/lib/python3.12............/site-packages/factory/base.py:317: in instantiate
    return self.factory._create(model, *args, **kwargs)
.../local/lib/python3.12....../site-packages/factory/django.py:166: in _create
    return manager.create(*args, **kwargs)
.../local/lib/python3.12.../db/models/manager.py:87: in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
.../local/lib/python3.12.../db/models/query.py:658: in create
    obj.save(force_insert=True, using=self.db)
.../local/lib/python3.12.../django_apps/codecov_auth/models.py:395: in save
    super().save(*args, **kwargs)
.../local/lib/python3.12.../db/models/base.py:814: in save
    self.save_base(
.../local/lib/python3.12.../site-packages/model_utils/tracker.py:343: in inner
    return original(instance, *args, **kwargs)
.../local/lib/python3.12.../db/models/base.py:892: in save_base
    post_save.send(
.../local/lib/python3.12.../django/dispatch/dispatcher.py:177: in send
    (receiver, receiver(signal=self, sender=sender, **named))
.../local/lib/python3.12.../integrations/django/signals_handlers.py:73: in wrapper
    return receiver(*args, **kwargs)
codecov_auth/signals.py:94: in update_owner
    ShelterPubsub.get_instance().publish(data)
codecov_auth/signals.py:34: in get_instance
    cls._instance = cls()
codecov_auth/signals.py:39: in __init__
    self.pubsub_publisher = pubsub_v1.PublisherClient()
.../local/lib/python3.12.../pubsub_v1/publisher/client.py:139: in __init__
    super().__init__(**kwargs)
.../local/lib/python3.12.../services/publisher/client.py:492: in __init__
    self._transport = Transport(
.../local/lib/python3.12.../publisher/transports/grpc.py:153: in __init__
    super().__init__(
.../local/lib/python3.12.../publisher/transports/base.py:104: in __init__
    credentials, _ = google.auth.default(
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

scopes = None, request = None, quota_project_id = None
default_scopes = ('https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/pubsub')

    def default(scopes=None, request=None, quota_project_id=None, default_scopes=None):
        """Gets the default credentials for the current environment.
    
        `Application Default Credentials`_ provides an easy way to obtain
        credentials to call Google APIs for server-to-server or local applications.
        This function acquires credentials from the environment in the following
        order:
    
        1. If the environment variable ``GOOGLE_APPLICATION_CREDENTIALS`` is set
           to the path of a valid service account JSON private key file, then it is
           loaded and returned. The project ID returned is the project ID defined
           in the service account file if available (some older files do not
           contain project ID information).
    
           If the environment variable is set to the path of a valid external
           account JSON configuration file (workload identity federation), then the
           configuration file is used to determine and retrieve the external
           credentials from the current environment (AWS, Azure, etc).
           These will then be exchanged for Google access tokens via the Google STS
           endpoint.
           The project ID returned in this case is the one corresponding to the
           underlying workload identity pool resource if determinable.
    
           If the environment variable is set to the path of a valid GDCH service
           account JSON file (`Google Distributed Cloud Hosted`_), then a GDCH
           credential will be returned. The project ID returned is the project
           specified in the JSON file.
        2. If the `Google Cloud SDK`_ is installed and has application default
           credentials set they are loaded and returned.
    
           To enable application default credentials with the Cloud SDK run::
    
                gcloud auth application-default login
    
           If the Cloud SDK has an active project, the project ID is returned. The
           active project can be set using::
    
                gcloud config set project
    
        3. If the application is running in the `App Engine standard environment`_
           (first generation) then the credentials and project ID from the
           `App Identity Service`_ are used.
        4. If the application is running in `Compute Engine`_ or `Cloud Run`_ or
           the `App Engine flexible environment`_ or the `App Engine standard
           environment`_ (second generation) then the credentials and project ID
           are obtained from the `Metadata Service`_.
        5. If no credentials are found,
           :class:`~google.auth.exceptions.DefaultCredentialsError` will be raised.
    
        .. _Application Default Credentials: https://developers.google.com\
                .../identity/protocols/application-default-credentials
        .. _Google Cloud SDK: https://cloud.google.com/sdk
        .. _App Engine standard environment: https://cloud.google.com/appengine
        .. _App Identity Service: https://cloud.google..../appengine/docs/python\
                /appidentity/
        .. _Compute Engine: https://cloud.google.com/compute
        .. _App Engine flexible environment: https://cloud.google.com\
                /appengine/flexible
        .. _Metadata Service: https://cloud.google.com/compute/docs\
                /storing-retrieving-metadata
        .. _Cloud Run: https://cloud.google.com/run
        .. _Google Distributed Cloud Hosted: https://cloud.google.com/blog/topics\
                /hybrid-cloud/announcing-google-distributed-cloud-edge-and-hosted
    
        Example::
    
            import google.auth
    
            credentials, project_id = google.auth.default()
    
        Args:
            scopes (Sequence[str]): The list of scopes for the credentials. If
                specified, the credentials will automatically be scoped if
                necessary.
            request (Optional[google.auth.transport.Request]): An object used to make
                HTTP requests. This is used to either detect whether the application
                is running on Compute Engine or to determine the associated project
                ID for a workload identity pool resource (external account
                credentials). If not specified, then it will either use the standard
                library http client to make requests for Compute Engine credentials
                or a google.auth.transport.requests.Request client for external
                account credentials.
            quota_project_id (Optional[str]): The project ID used for
                quota and billing.
            default_scopes (Optional[Sequence[str]]): Default scopes passed by a
                Google client library. Use 'scopes' for user-defined scopes.
        Returns:
            Tuple[~google.auth.credentials.Credentials, Optional[str]]:
                the current environment's credentials and project ID. Project ID
                may be None, which indicates that the Project ID could not be
                ascertained from the environment.
    
        Raises:
            ~google.auth.exceptions.DefaultCredentialsError:
                If no credentials were found, or if the credentials found were
                invalid.
        """
        from google.auth.credentials import with_scopes_if_required
        from google.auth.credentials import CredentialsWithQuotaProject
    
        explicit_project_id = os.environ.get(
            environment_vars.PROJECT, os.environ.get(environment_vars.LEGACY_PROJECT)
        )
    
        checkers = (
            # Avoid passing scopes here to prevent passing scopes to user credentials.
            # with_scopes_if_required() below will ensure scopes/default scopes are
            # safely set on the returned credentials since requires_scopes will
            # guard against setting scopes on user credentials.
            lambda: _get_explicit_environ_credentials(quota_project_id=quota_project_id),
            lambda: _get_gcloud_sdk_credentials(quota_project_id=quota_project_id),
            _get_gae_credentials,
            lambda: _get_gce_credentials(request, quota_project_id=quota_project_id),
        )
    
        for checker in checkers:
            credentials, project_id = checker()
            if credentials is not None:
                credentials = with_scopes_if_required(
                    credentials, scopes, default_scopes=default_scopes
                )
    
                # For external account credentials, scopes are required to determine
                # the project ID. Try to get the project ID again if not yet
                # determined.
                if not project_id and callable(
                    getattr(credentials, "get_project_id", None)
                ):
                    if request is None:
                        import google.auth.transport.requests
    
                        request = google.auth.transport.requests.Request()
                    project_id = credentials.get_project_id(request=request)
    
                if quota_project_id and isinstance(
                    credentials, CredentialsWithQuotaProject
                ):
                    credentials = credentials.with_quota_project(quota_project_id)
    
                effective_project_id = explicit_project_id or project_id
                if not effective_project_id:
                    _LOGGER.warning(
                        "No project ID could be determined. Consider running "
                        "`gcloud config set project` or setting the %s "
                        "environment variable",
                        environment_vars.PROJECT,
                    )
                return credentials, effective_project_id
    
>       raise exceptions.DefaultCredentialsError(_CLOUD_SDK_MISSING_CREDENTIALS)
E       google.auth.exceptions.DefaultCredentialsError: Your default credentials were not found. To set up Application Default Credentials, see https://cloud.google..../authentication/external/set-up-adc for more information.

.../local/lib/python3.12.../google/auth/_default.py:692: DefaultCredentialsError

To view individual test run time comparison to the main branch, go to the Test Analytics Dashboard

[adrian-codecov]

Nice! This looks great! A last nitpick, could we move this to somewhere like utils/shelter.py in the root folder, or anywhere you see fit? This isn't strictly a codecov_auth responsibility so it makes sense it is its own standalone thing

[nora-codecov]

agree! moved!